>> Hi,
>>
>> I'm trying to set up OpenLDAP as a Proxy for multiple LDAP servers
>> using slapd-meta.
>> The remote servers require SASL EXTERNAL authentication, so I have to
>> configure TLS client auth.
>>
>> The relevant part of my slapd.conf looks like this:
>> -------------------------------------------------
>> database meta
>> suffix "dc=example"
>>
>> uri "ldaps://server2:636/cn=server2,dc=example"
>> idassert-authzFrom "dn:*"
>> idassert-bind bindmethod=sasl
>>     saslmech=EXTERNAL
>>     tls_cert=mycert.crt
>>     tls_key=mycert.key
>>     tls_cacert=trusted-ca.pem
>>     mode=none

Add tls start here to request TLS to be established on connections (see
slapd-meta(5) for details). I think this should be implicitly enabled by
idassert-bind when it requires TLS (or at least its need should be
documented).

p.